Empowering Teams to Exercise Judgement in Privacy Decisions
Privacy in Practice · 2026-04-14 · 35 min
Substance score
47 / 100
Five dimensions, 20 points each
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
The episode contains a handful of genuinely useful frameworks - dimensionalizing risk across customer harm and compliance cost, the 'choose your poison' options approach, and coaching vs. mentoring as a team-development distinction - but these are stated rather than deeply elaborated, and large stretches are hosts restating what the guest just said or making general observations about fear vs. enablement.
we dimensionalize between impact to customer and impact to compliance, which is the law. And in the impact to customer, it's further broken down into what is the potential impact of causing harm to customers
it's a conflict of interest for us to actually tell you exactly what to do. So we also had to devise a way to give assessment that provides options. Choose your poison, which one are you going to do?
Originality
The 'ownership to stewardship' reframe is the episode's strongest original contribution and is articulated clearly, and the ESG/S-includes-privacy angle is a mild fresh take; however, most of the content - privacy by design as culture, risk matrices, fear-to-enabler journey - is well-worn in privacy circles without a genuinely contrarian or first-principles argument.
Privacy laws actually changes the view of data ownership. The owner of the data is not you. You are, as a company, enabled by the customer to take care of that data
the S in ESG includes privacy because, again, it's about people's data. It's not about companies owning that data
Guest Caliber
Leah Besa Jimenez is a genuine practitioner who built a privacy program at scale inside one of the Philippines' largest telcos, with an unusual non-lawyer background spanning marketing, mobile advertising, and CEO roles that gives her a credible business-first lens; she is not a global A-lister or purely a conference thought-leader, but she has clearly done the work.
we just launched AGENTIC for risk assessment. AGENTIC AI for risk assessment. And we're like a lot of the practitioners, like, oh, you're way ahead
we actually give guidance within the conversation. So it doesn't seem like this is a compliance conversation
Specificity & Evidence
Concrete evidence is sparse throughout: the ISO 5-point scale is named, 2022 is cited as a starting point, and 'a couple of million' is mentioned for the marketing automation project, but there are no outcome metrics, no named regulatory fines or near-misses, no data on program effectiveness, and the clinical trial example that gives the most texture comes from the hosts, not the guest.
we had just spent a couple of million to actually implement this and the law was in effect
based on ISO of risk management, it's a five point scale, right. And it's about impact and likelihood
Conversational Craft
The hosts ask reasonably relevant follow-up questions and surface the risk-matrix topic effectively, but they frequently interrupt to restate or editorialize at length rather than probing deeper, there is no meaningful pushback on any of the guest's claims, and the conversation meanders without a sharp driving question that forces the guest to go beyond familiar talking points.
I think we really wanted to drill into today is exactly this piece of what you've said, both the how do you set up a big company organization and privacy
Could you speak to that a little bit Leah, like what have you. So I can just say for us, some of the risks are it'll be complicated
Conversation analysis
Computed from the transcript - who did the talking, and the verbal tics along the way.
Share of words spoken
- Speaker A: 50%
- Speaker B: 28%
- Speaker C: 22%
Episode notes
In this episode of Privacy in Practice, hosts Kellie du Preez and Danie Strachan sit down with Leah Camilla R. Besa-Jimenez, Group Head, Enterprise Risk Management at PLDT, about how she approaches privacy inside one of the largest Southeast Asian telecommunications companies. The discussion focuses on privacy as an operational practice, not only a legal one: using risk matrices to structure decisions, coaching teams to exercise judgment, raising privacy issues early in project conversations, and shifting the company mindset from data ownership to data stewardship. In this episode, the conversation centers on how privacy functions inside day-to-day operations. Leah explains that privacy is largely about process: how data is handled, how risks are assessed, and how teams are trained to identify issues before launch. The episode also discusses how leaders must empower privacy teams to make better decisions.
Full transcript
35 min · Transcribed and scored by The B2B Podcast Index.
Privacy laws actually changes the view of data ownership. The owner of the data is not you. You are, as a company, enabled by the customer to take care of that data, to process that data in accordance to what they signed up for. Right? Based on legitimate interest. Beyond that, you need to tell the customer, because it's not your data, you don't own that data. It's owned by the customer. I think that is the main mind shift that customers need to have.

Welcome to Privacy in Practice, the podcast where we bring you the latest insights, practical solutions and real world stories from the world of data protection and privacy. I'm Kellie du Preez. And I'm Danie Strachan. Privacy in Practice is brought to you by VeraSafe, your trusted partner in privacy and data protection. In this podcast, we dig into the challenges and opportunities in privacy compliance, from navigating complex regulations to building a sustainable privacy program that works for your business, not against it. So let's jump in and get practical with privacy. Our guest today is a privacy leader who brings a refreshing and insightful perspective to the role shaped not by a legal path, but by experience in marketing, product, media and executive leadership. We are absolutely delighted to welcome Leah Besa Jimenez to the podcast. Leah currently serves as Chief Data Privacy Officer and Group Head of Enterprise Risk Management at PLDT, one of the largest and most influential companies in the Philippines. Before stepping into privacy leadership, Leah held roles across marketing, product, media convergence, mobile advertising, and even served as a CEO. Experiences that give her an unusually practical but business first lens on privacy and risk. Leah is widely respected for building privacy programs that are ethical, human centered, and operationally effective. 
She's a strong advocate for privacy by design as a conversation rather than a checklist, and for empowering teams to exercise sound judgment, not just to follow rules. So today we are very excited to explore how Leah has shaped one of the most impactful privacy programs in Southeast Asia and what other privacy leaders can learn from her journey. Welcome, Leah. Thank you. Thank you for inviting me, Leah. We're so excited about today's discussion and really looking forward to hearing from you and to learn from your experience in the trenches, as they say. But your background I find quite interesting. So often when we speak to privacy professionals, they have a background in law or there are lawyers obviously, or they are in IT or in technology somehow or information management. But I was very interested to discover that your background is in marketing, product management and media. So you're not a lawyer. How did that background shape your path into privacy leadership? I think we start off with me Being asked, right, to handle this. I started this entire journey with actually doing a marketing automation project for the group. Then, of course, we were in a panic because we had just spent a couple of million to actually implement this and the law was in effect, meaning the IRR was out. And we're like, wait, we can't launch this. This platform will go to waste. The consent, the notices have to be out. Consent preferences have to be out. What do we do? So we basically bugged Regulatory, one of the senior management executives, and said, we need to do something. We cannot, we cannot not do this. This is about revenue uplift and we cannot stop. The privacy should enable us. So what do we do to enable this program to actually happen? Because we can't stop. We just spent how much and the potential return is this much. And that cannot be realized. If we don't do this, we cannot be halted because of Regulatory. 
So we started the process and then at some point he said, okay, you have to come back. Because I was just a consultant during that time. I actually had planned to just do consulting to take it easier. And he said, no, you have to come back. You have to come back. And I was like, I was questioning him, like, why? Why? Why would you want me to come back? Like, well, you know, you understand the law. Because I actually, prior to doing the marketing automation, I used to handle the digital and the marked tech business of the group. So I understand the law, and it's also very heavily regulated during that time. That piece of business that I handled understand the law, you understand the technical, you understand the business and the group was what he said, I'm like, makes a lot of sense, but okay, fine. As a privacy leader, it is so important to make sure that you train your team to make your privacy program flow smoother, but also to make your life easier. And I think one of the critical skills that you need there is to make sure that your team members can exercise judgments. They need to be able to think for themselves. So if they are faced with a situation, they need to be able to make a call. If it needs to be done. So they should be able to say, no, this is not a problem because of X, or I know the law says this, or I know previously we've done that, or this is definitely a problem. We've seen this before. Or I've been taught that if this happens, I need to escalate it. But that then implies that your team members and the stewards and people in charge of business units and data sets can exercise judgment on their Own and decide, yes, it's okay or no, I should escalate that. How do you teach that judgment to people? How do you help them to be able to make that call on their own? Well, one, the reason we also put in risk matrix for assessment is to teach people to view things a certain way. 
Because sometimes when you're faced with a project, sometimes especially early on, you're like, I'm sorry, you're doing what? What are you doing? But when you're looking at numbers and you're rating it, then the question becomes, why is it a five again? Well, because of this, this, this. And it's a very. It's a calmer conversation because you actually quantified it. We've actually quantified the potential risk of this, right. From a financial, From a reputational, from the impact of the customer and impact to the company. So it becomes, oh, okay. So it's not just because this is how you understand the law. So that's one. Right. Another thing is how you give, how at least we give confidence to the team, especially the younger ones, is you model the behavior when you're in the room, right? And we actually ask them, what do you think? How. How would you assess it? And I always treat an opportunity, especially with the younger ones, as a way to coach, not necessarily mentor, because the mentor, I'll tell you exactly what you should be doing. But to coach is to nudge what they should be looking at or what they should be widening their view on certain things because then it's something that they will take and repeat the behavior. Because I'm not telling them exactly what to do, right? I'm just widening your potential perspective of the situation. Even let's say there's an incident, right? If there's an incident, I always say, okay, actually, the first thing I'll say, what are we not seeing? Because it's impossible. We're seeing everything. It's impossible, right? Especially when people are in a panic and people again, when they know it's a potential breach. There's an emotional aspect to it. You want to make sure you nip things in the bud, right? So I always take a step back and say, what are we not seeing? This is. 
I think one of the things we really wanted to drill into today is exactly this piece of what you've said, both the how do you set up a big company organization and privacy that functions and understanding. I love what you said about it being behavioral, economic. And so what I'm hearing in your answer is we need a structure. So that we guide people, you know, like our game theory or our behavioral economics or whatever is structured to win. We go this way. You nudge it a certain way. Right, yeah, exactly, exactly, exactly. So you have to put the structure in place. And we're definitely going to want to ask you a lot of questions about your risk matrix, because I love it, really love it. And then, but then it's also, it's not just that. It's also the sort of behavioral side of the behavioral economics, the psychology side of putting the questions back on the team and empowering the team. And I think, I mean, it's amazing how often there's no law in any of that. I mean, there's law, I suppose, in setting up the risk matrix. But, you know, if, if you start and end your privacy work on, well, let me go read the regulations. It's. It's a tougher, much tougher job. Yeah, because it's not. I mean, privacy by design is a behavior. It's not just a process. Right. So if you actually want people to think privacy first or privacy by default, all of these buzzwords or buzz phrases that in privacy conferences, it's cultural and it starts with every interaction that you have in not just the proponents, but also in your team. So first you need to equip them with a way of viewing things so that they can have that conversation. They can assess on their own and have the confidence to actually tell. No, I think we have a problem because it starts with that. It doesn't have to be a judgment yet. Even when people show me and tell me an incident, their first phrase is not we have an incident. It's always, I think we have a potential incident. 
Then it's something that we need to, to further look into. Because how do you, how do you. That's a, that's a risk. Because then the vulnerability is not just one incident. The vulnerability, the risk is systemic. Right. So you can't uncover that if you don't ask those questions. And I, I think one thing we really want to talk about is what is risk? How do we understand risk as an organization? How do you go about thinking about what is a risk? What is, you know, what, what is. And I think every organization struggles with this differently. Every organization needs to define it for themselves differently. But we, I mean, for us, I think even as an organization, not even in our work externally, like something we talk about a lot, is sort of the hidden costs of a change. Like, every change has a cost, every change has a benefit, and every change has a cost. And I think most people focus on the benefit and it's a great idea because it will make us money, because we have to do it, because everyone else is doing it. Because whatever the, the thing is, it'll be more efficient, it'll be whatever. And it's really hard sometimes to train people to slow down and think through all of the risks. And I maybe. Could you speak to that a little bit Leah, like what have you. So I can just say for us, some of the risks are it'll be complicated, so we'll make mistakes or it will change the process. So that might, that'll cause confusion. Or how will we scale if we change this? Or you know, sort of those sorts of like really weedy process, 80% process problems. Can you speak a little bit about how your sense of risk has evolved and what you guys look at and how you identify what is part of the risk calculus? So for, from a risk standpoint, we actually look at. So we have, based on ISO of risk management, it's a five point scale, right. And it's about impact and likelihood. So that's the formula. The impact of this potential risk and what is the likelihood. Right. 
Of the event, of the risk event being actualized, materializing. Right. Therefore it makes the actual impact greater. Right. So in terms of privacy, it needs to be dimensionalized. I think in any practice, whether it's talking about privacy or we're talking about cybersecurity, you need to dimensionalize it. You cannot look at. Because while I also had enterprise risk, where I'm looking at it from an enterprise wide, I don't look at it from an operations. Right. Specific operations. But when you talk about specific operations, they need to dimensionalize it against the impact of that risk to company and to potential customers, if ever. Right. Because let's say privacy, privacy, the way we do it in privacy, we dimensionalize between impact to customer and impact to compliance, which is the law. And in the impact to customer, it's further broken down into what is the potential impact of causing harm to customers. Right. If something happens, if this flaw is not resolved. Right. And what is the cost of exercise of rights? Because there's also cost to exercise of rights answering them, making the changes. Right. There's cost to that, there's manpower, cost to that manpower and even OPEX costs to any changes that is required. So there we dimensionalize that and we have scenarios against each one to be able to calculate is it high or is it medium, is it low? And we started having that conversation since 2022 actually and like I said, because the conversation is very objective and it's quantifiable, then it becomes less emotional and less. Because you just don't like us or you don't understand us. You don't understand how much this matters. My annual performance review is tied to my ability to blah, blah, blah. Yeah, right, right. And the funny thing is, when we started, because we came from that side, people are used to having conversations with me and my team that are very solution driven. 
But when you're handling privacy, it's a conflict of interest for us to actually tell you exactly what to do. So we also had to devise a way to give assessment that provides options. Choose your poison, which one are you going to do? And then you pick. Pick your path. Pick your path. And each path is a corresponding risk. Right. But it's up to you. We always say, it's not up to us, it's up to you. Our job is to tell you exactly what you are risking with each path. Or if this is not done, this is the risk involved. But we do not make the decision in the beginning. That's very difficult for business because again, having worked with me and my team, they're used to us having a very strong opinion of how to execute things. And now we have to restrain ourselves. Like, oh, you know, even if you know exactly what to do, right? Like, no, that's not how you do it. No, no, no, you do it this way. Now our job is no, you need to educate, you need to nudge, give them options. If you're so if you feel they're still not getting it, then give them option A to C, pick which one. Then let them think. Because you will never be able to achieve a level of. They won't be able to achieve a level of confidence in understanding privacy and embedding it into the practice, into the development life cycle. If you always give them the answer and you don't make them process the situation. So we take the opportunity in every assessment to educate because that's the only way. So it's a longer route, but it teaches them to apply those principles regardless of what role they handle next. I think the benefit of us being outside advisors is that, and I find some comfort in this, is the fact that we don't have to make the decision. So we're sort of similar to your role where you can say, well, here are your options. I can't tell you what to do. Maybe this is a better option. 
Of course, for us as advisors, it helps if we've been working with clients for a while to really become, we tried really to become part of the client's team. So you develop that intuition so you can come up with advice. That's right, that has the right options. But one of those options should at least work for the business because otherwise it's not useful advice. It also depends on your organization because for some organizations risk means we don't want to get fined because we're in a heavy leverage regulated industry and we could lose our license in another industry, risk is we could lose customers because our whole business revolves around customers. Many of our clients are life sciences companies and they run clinical trials. It's a major risk for them if something in the privacy program could cause a situation where they can't go ahead with a trial at a specific site or they can't get some approval or some submission bombs out because there's some kind of privacy issue. So it really depends on your organization, I think, to figure out what risk is. Yeah, organization and the industry, you know, health is going to be so critical. I don't even know whether you can document a lot of those risk. But in telco you can, right? In banking you can. And you have a very, the practice of risk in banking is very, you know, it's embedded in, in what they do because of regulatory performance. Right. For telco it's not. I'm actually very surprised because my team, one of my, you know, my heads, one of my, one of my one downs, took his certification and of course they were sharing a lot of the things that we were doing because we just, we just launched AGENTIC for risk assessment. AGENTIC AI for risk assessment. And we're like a lot of the practitioners, like, oh, you're way ahead. I'm like, okay. Because again, we view risk as data points. I think that's the first difference when it comes to risk management. Each risk is a data point. It's not a feeling. It's not a feeling. 
Sometimes you got to work through the feelings to get to the data points. But it is work through the feelings. But it's a data point. It's a data point that you can input somewhere, but it has to be consistent. And maybe it would be helpful for people if we. Like, I think that all sounds good in theory. And then the practical implication of it, I mean, your example, Danie, of the clinical trial sponsor versus like a SaaS processor client is a good one. And maybe we could think about risk. In your risk matrix, Leah, you have a section on exercise of data subject rights. And I think that that's a great example. So in some industries, what you might break it down to consider is will this mean that people can't, like a lot of people can't exercise their rights? Will this mean that some people can't exercise this. Their rights? Will this mean that people can exercise their rights but it will take us longer? Or it might, we might screw it up or like it's just going to mess with our process. Is it the, you know, or is it the case that this change means that most people will be totally fine, but there might be a few hiccups on the side? Or is this really fine? It fits within our existing process and, and in a clinical trial context, you might change it to. If one person can't have their trial data accurately recorded and, you know, there isn't an accurate process for consent withdrawal, like if it messes with that process, then we can't do it. It's full stop. Right. So you might have a different company risk profile for it. Like, you know, and that's kind of how you have to think about it. Like think about the topic narrow. Don't just think broadly. Think, break it into columns, break it into scenarios. And don't forget, it's not just about we can or we can't or we comply or we don't comply. It's also, how does this mess with our efficiency? How does this mess with our existing process? What's the manpower cost, as you said, Leah, what's the time cost? 
What's the trade off? What's the opportunity cost? And then break that into a matrix. I think that's, I think it's so helpful. Yeah. One of the things that we do from exercise of rights, it's part of the conversation already. When we do the assessment, we always look for it in the event. So we give them scenarios in the event that the customer wants to exercise their rights in the following. How are you going to do it? So in the beginning, of course, we're like, huh, they can do that? Yes, we are required to enable it. Right. So they need to include it in the development. They cannot not include it because we will look for it as part of the compliance review. That's that training and the questions you were talking about. Right, because they have to know that there's an access right and there's a deletion Right. And there's a. So they have to then be thinking about, okay, well, I want to do this new thing, but oh my gosh, how are we going to give this data to them? Like the access like, the way we want to store this in a database is messy, like. Yeah. And so it's that education. Yes. Which is why we. We insist on having the conversation, not the assessment. Tell us exactly what you guys want to do and then we'll give you guidance. Then we'll tell you the things that you need to plan for before you even write the business requirement document. Right. So they're thinking, okay, in the event. So they're thinking far ahead. Right. Instead of just, I need to launch this. Yeah, you need to launch that. But you also need to think about in the event that the customer wants to do this, what do I do? Okay. Right. So that's also part of what. They need to also talk to customer experience. So customer experience is actually one of our channels for exercise of rights. So even they will look for it. So they even ask, in the event that the customer wants to do this, what do we say? What channel do we actually check to be able to disable certain parts? 
So that's why I'm saying we need to. From what areas? I call them channels. Which part of the actual cycle do you need to plug? Or you need to actually put a guardrail. Right. So in terms of actual deployment, from a product standpoint, definitely that's one second. Your other guardrail will be customer experience because they are your frontliners for exercise of rights. If they don't get a way to enable it, it's part of their KPI because they're unable to fulfill the requirement of the customer. Right. So that's how we looked at it. What are the guard. Where do we put the guardrails? When we started, we didn't say, no, you can't do anything without privacy. You just need to have it reviewed. I think it's so important to move to shift from fear to privacy as an enabler. I think that's a very really good point. In summary, and I think it's hard to do, and maybe it's slightly harder as external, I don't know, because I think often people come to us out of fear for some reason they have identified. I think that's always going to be the first. Right? Yes. Yeah. I can think of a couple of situations where, I mean, one of the organizations that we work with comes to mind where they came to us initially just to do a gap assessment because they said, you know, we need to look at privacy and we're not sure where the gaps are. And then suddenly, out of the blue, a very big court case arrived on their doorstep and suddenly there was a lot of fear and panic. And then privacy became less of a curiosity to a really key priority. And I think it's interesting because looking at it outside, it feels to me almost like privacy has changed their business culture. Now it's changed the ethos. Because I've been thinking as we've been sitting here, if you are faced with a difficult privacy decision, let's say there is no real answer the law doesn't have an answer for. It's not A or B. It's very gray. So you can go two ways. Which direction do you choose? 
And I think one of the best ways to make that decision, if all things are equal, is to follow your business's culture and your ethos. And is, are we a privacy first company? Are we a consumer first company? Are we a shareholders first company? That's also, I mean, legitimate. It really depends on your business, and your business needs to decide. But I find it's often easier if you are faced with one of these difficult decisions just to look at what your organization feels, how does it approach things? What is its meaning, mission, what is its vision? And it's all these soft things. But as a privacy leader, I think you really need to be ingrained in that you're not just sitting there in the corner giving answers to people about privacy questions. It's much more, I think being a privacy professional, you're actually in a privileged position because you're actually at the center of the organization, because you need to know how marketing feels about stuff, how HR feels about problems, how finance views a problem. And you basically have to have all of their voices in your head. And even as an external advisor, I don't think you can always give the best advice unless you really understand the client and you're part of their team and you understand this is their goal in their business. But often, I think moving from fear to. In this instance, there was a lot of fear, which obviously created a lot of momentum for the client to get going with their privacy program. But now they've totally overtaken all of that fear, and they're all just excited about privacy now, and it's for a part of their lives. So it's interesting. But I guess some organizations could get stuck in that fear, and that's. That's very difficult because then you become negative and you just see it as a block the whole time. 
But once you see that you can work with privacy and that you can make things work, and you can keep the financial side looking good, but also the customer is feeling good, I think then you feel more positive about it. I think one of the things that has, that we tried to shift, and we always keep on saying this when we would do our privacy roadshows in the beginning, is that data is not owned by us. We are merely stewards. Data is actually owned by the customer and they trust us to keep it safe. That I think is a mind shift already because a lot of times, I mean, not a lot of times, but there's this belief that that whole thing, data's the new goal, data, so on and so forth, like, yeah, but you don't really own it, guys, let's just break that right. Privacy laws actually changes the view of data ownership. The owner of the data is not you. You are as a company enabled by the customer to take care of that data, to process that data in accordance to what they signed up for, right? Based on legitimate interest. Beyond that, you need to tell the customer, because it's not your data, you don't own that data, it's owned by the customer. I think that is the main mind shift that customers need to have, companies need to have, which is very different from the 90s or early 2000s where data's the new oil, data's the so and so and so, and people kept on over collecting and like, why are we collecting this? And when I used to be in the marketing side and I remember, yeah, there was one marketing guy I actually asked because I was handling the data, the CRM part, and my question was, why are we removing this particular data? Or and then why are we adding this particular data? Because I want to know and how is it actionable? Right? And then there was even one response. No, because the farm is so long, I'm like, okay, collect data because you need it to do an action. You don't collect data because you feel you want to know something. And you know, it's not a feeling. 
There has to be a reason why, the legitimate reason why you are collecting the data. There has to be a shift in how people perceive the data that they've collected from customers. It's not yours, it is the customer's data. And that for me changes everything. It changes everything. It changes the way you protect. It changes the way what you are. Now what social, what corporate responsibility now encompasses, includes now privacy protection of data. It will affect that because again, the view of corporate social responsibility is just making sure that the communities that we work with so and so and so, right? That we don't affect the environment. But guess what? Socially privacy is part of that. The S in ESG includes privacy because, again, it's about people's data. It's not about companies owning that data. It's about customers having control of how their data is processed. I think companies need to get that. And the more they get that, the less fear they will have and they will move from ownership to stewardship, because that changes, that really changes the. It's a mind shift. I, I wonder if that's not like the perfect, like, takeaway, like ownership to stewardship. You know, I think that's like such a nice, I think that's such a, an extremely nice, simple way to kind of make an end point. Maybe it's an oversimplification, but the mere fact that you don't, you don't own. Companies don't own the data. They believe that they still own it. You own the thing that holds the data, the thing that processes the data, but the data itself is not yours. You are entrusted to use it properly against. Yes, to. So this whole journey from fear to sort of truly adopting privacy as enabler, this whole journey of teaching the team how to understand risk, how to, you know, set up the behavioral economics so that you get the outcome that you want, all those sorts of things, it does have a lot of steps. 
And, and what I heard you say over the course of this conversation is privacy roadshow, like, as an early step, I would imagine. And then I heard, you know, have a conversation. So there's a process, right? There's a business requirement document, there's the risk assessment, there's a whole infrastructure of, we'd like to engage this vendor, we'd like to do this new activity. But before that, I heard you say there's a conversation. And I, I, in an earlier conversation between the three of us, I know you train your people how to have that conversation, how to put the question back on the person who wants to do the change. Then, obviously you have the risk assessment, you have the business requirement case, and then it comes to your office. I think if this is, if I'm summarizing this correctly, to, to kind of say, options, you know, essentially, if they haven't been able to come up with their own options or they haven't presented, they haven't done the process properly, that's when your office might have to be involved to say, yes, no, or check this option or consider this additional thing. But by the time you get to that point, I see, maybe I got that slightly wrong. But by the time you get to that point, so much work has already been done that ideally, you very rarely are at that point of saying no or clarifying.
We actually give the option within the conversation because we can spot it because of all of the assessments that we've done. We know where to draw from. We know where the potential risks are given the systems. We know what they need to look for or make sure that are in place. So we give those guidance. We actually give guidance within the conversation. So it doesn't seem like this is a compliance conversation. No, this is a conversation where we need to ensure that privacy is there by design. So it's privacy by design in action. Right? What's privacy default in action?
Yeah, it's a solution-oriented. Yeah. We have relationships with many clients.
We've seen it in many different shapes and forms and we can listen to their feelings and their frustrations and validate them and say, yeah, that's a common problem. This is normal. And you also still have to do this. And we'll help you figure out how to do this.
It's been great, Leah. Thank you so much for your time and all of your insights. I think it's been a really helpful conversation. It's been amazing. Thanks so much and let's stay in touch. Thank you.
That's it for today's episode of Privacy in Practice, brought to you by VeraSafe. We hope today's insights help you navigate privacy challenges with confidence and clarity. If you enjoyed today's conversation, be sure to subscribe so you don't miss out on future episodes, and we'd love to hear from you. Share your thoughts, questions or suggestions for future topics. Send us an email to podcasterisafe.com and to learn more about VeraSafe's data protection and privacy services, you can visit us at verasafe.com. Until next time, best of luck in approaching your privacy challenges in a practical way. See you then.